ADVISORY GUIDELINES ON KEY CONCEPTS IN THE PDPA

19 The Transfer Limitation Obligation

19.1 Section 26 of the PDPA limits the ability of an organisation to transfer personal data outside Singapore. In particular, section 26(1) provides that an organisation must not transfer any personal data to a country or territory outside Singapore except in accordance with requirements prescribed under the PDPA to ensure that organisations provide a standard of protection to personal data so transferred that is comparable to the protection under the PDPA. This requirement not to transfer personal data unless in accordance with the prescribed requirements is referred to in these Guidelines as the Transfer Limitation Obligation.

Conditions for transfer of personal data overseas

19.2 Regulations issued under the PDPA will specify the conditions under which an organisation may transfer personal data overseas. In essence, an organisation may transfer personal data overseas if it has taken appropriate steps to ensure that it will comply with the Data Protection Provisions in respect of the transferred personal data while such personal data remains in its possession or under its control; and, if the personal data is transferred to a recipient in a country or territory outside Singapore, that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA. In this regard, legally enforceable obligations include obligations imposed on the recipient under:

a) any law;

b) any contract that:
   i. requires the recipient to provide to the personal data transferred to the recipient a standard of protection that is at least comparable to the protection under the PDPA; and
   ii. specifies the countries and territories to which the personal data may be transferred under the contract;

c) any binding corporate rules that[20]:
   i. require every recipient of the transferred personal data to provide to the personal data transferred to the recipient a standard of protection that is at least comparable to the protection under the PDPA; and
   ii. specify the recipients of the transferred personal data to which the binding corporate rules apply; the countries and territories to which the personal data may be transferred under the binding corporate rules; and the rights and obligations provided by the binding corporate rules; or

d) any other legally binding instrument.

19.3 An organisation transferring personal data overseas is taken to have satisfied the requirement to take appropriate steps to ensure that the recipient is bound by legally enforceable obligations to provide to the personal data transferred a standard of protection that is comparable to that under the PDPA if:

a) subject to conditions, the individual whose personal data is to be transferred gives his consent to the transfer of his personal data[21];

b) the transfer is necessary for the performance of a contract between the organisation and the individual (for example, if the organisation is a data intermediary of the individual pursuant to a contract between them in relation to the transfer), or to do anything at the individual's request with a view to his entering a contract with the organisation;

c) the transfer is necessary for the conclusion or performance of a contract between the organisation and a third party which is entered into at the individual's request, or which a reasonable person would consider to be in the individual's interest;

d) the transfer is necessary for a use or disclosure in certain situations where the consent of the individual is not required under the PDPA, such as use or disclosure necessary to respond to an emergency that threatens the life, health or safety of an individual.[22] In such cases, the organisation may only transfer personal data if it has taken reasonable steps to ensure that the personal data will not be used or disclosed by the recipient for any other purpose;

e) the personal data is data in transit; or

f) the personal data is publicly available in Singapore.

19.4 The examples below illustrate certain situations in which organisations may transfer personal data overseas in compliance with the Transfer Limitation Obligation.

Example: Organisation ABC is transferring personal data of its customers to its parent company overseas via the group's centralised customer management system. The conditions of the transfer, including the protections that will be accorded to the personal data transferred, are set out in binding corporate rules that apply to both Organisation ABC and its head office. Organisation ABC has reviewed these binding corporate rules and assessed that they comply with the conditions prescribed under the regulations and would provide protection that is comparable to the standard under the PDPA. In this case, Organisation ABC's transfer of the personal data overseas would be in compliance with the Transfer Limitation Obligation.

Example: Karen purchases an overseas tour with travel agency DEF. In order to perform its obligation under its contract with Karen to make the necessary hotel reservations, travel agency DEF is required to transfer her personal data (such as her name, nationality and passport number) overseas to the hotels that Karen will be staying at during the tour. Travel agency DEF's transfer of Karen's personal data in this case would be in compliance with the Transfer Limitation Obligation as it is necessary for the performance of the contract between travel agency DEF and Karen.

Example: Cedric is a client of Organisation GHI. Organisation GHI notifies Cedric in writing that it is adopting a cloud-based solution to store and analyse its client data, which includes personal data such as clients' identification details, address, contact details and income range, and asks for Cedric's consent to move his client data to the cloud-based solution. Organisation GHI also provides Cedric with a written summary of the extent to which Cedric's personal data will be protected to a standard comparable to that under the PDPA in the countries and territories that it will be transferred to. Should Cedric provide his consent, Organisation GHI would be able to transfer his personal data in compliance with the Transfer Limitation Obligation.

Example: John is injured in an accident while travelling overseas. To aid John's treatment, his family doctor in Singapore transfers some of his medical records (including personal data such as his identification details, blood type, allergies and existing medical conditions) to the hospital where John is receiving medical attention, after confirming with the hospital that the personal data will only be used for John's medical treatment. In this case, the transfer of John's personal data would be in compliance with the Transfer Limitation Obligation as the disclosure to the overseas hospital is necessary to respond to an emergency that threatens John's life, health or safety, and John's family doctor has taken reasonable steps to ensure that the personal data transferred will not be used or disclosed by the recipient for any other purpose.

Example: Company JKL films a commercial at a location open to the public in Singapore. The commercial captures images of individuals who pass by the filming location. Company JKL wishes to transfer the commercial to its overseas partners for use in an advertising campaign. In this instance, Company JKL's transfer of the commercial would be in compliance with the Transfer Limitation Obligation as the personal data in the commercial would be publicly available to the extent that the filming of images would be reasonably expected at that location.[23]

Scope of contractual clauses

19.5 In setting out contractual clauses that require the recipient to comply with a standard of protection in relation to the personal data transferred to him that is at least comparable to the protection under the PDPA, a transferring organisation should minimally set out protections with regard to the following:

S/N  Area of protection                                       Recipient is:
                                                              Data intermediary[24]    Organisation (except data intermediary)
1    Purpose of collection, use and disclosure by recipient
2    Accuracy
3    Protection
4    Retention limitation
5    Policies on personal data protection
6    Access
7    Correction

19.6 The above table reflects the position under the PDPA that certain Data Protection Provisions are not imposed on a data intermediary in respect of its processing of personal data on behalf of and for the purposes of another organisation pursuant to a contract that is evidenced or made in writing. However, it is expected that organisations engaging such data intermediaries would generally have imposed obligations that ensure protection in the relevant areas in their processing contract.

Data in transit

19.7 Data in transit refers to personal data transferred through Singapore in the course of onward transportation to a country or territory outside Singapore, without the personal data being accessed or used by, or disclosed to, any organisation (other than the transferring organisation or an employee of the transferring organisation acting in the course of his employment with the transferring organisation) while the personal data is in Singapore, except for the purpose of such transportation. An example of data in transit would be data from overseas passing through servers within Singapore en route to its destination overseas. An organisation transferring personal data overseas will be deemed to comply with the Transfer Limitation Obligation in respect of data in transit.

Footnotes

20 Such binding corporate rules may be adopted in instances where a recipient is an organisation related to the transferring organisation and is not already subject to other legally enforceable obligations (as described in those Regulations) in relation to the transfer. The Regulations further provide that the recipient is related to the transferring organisation if: a) the recipient, directly or indirectly, controls the transferring organisation; b) the recipient is, directly or indirectly, controlled by the transferring organisation; or c) the recipient and the transferring organisation are, directly or indirectly, under the control of a common person.

21 In order to rely on consent given by the individual, the organisation should (among other things) provide the individual with a reasonable summary in writing of the extent to which the personal data transferred to those countries and territories will be protected to a standard comparable to the protection under the PDPA.

22 The specific situations are if the transfer is necessary for the personal data to be used under paragraph 1(a), (b) or (d) of the Third Schedule to the PDPA or disclosed under paragraph 1(a), (b), (c), (e) or (o) of the Fourth Schedule to the PDPA.

23 While in this case the personal data may be publicly available, as noted in the sections on 'publicly available data', Company JKL should, as best practice, put up notices at appropriate spots (e.g., at the entrances to the location) to inform passers-by that filming is taking place.

24 For the purposes of this table, the term 'data intermediary' refers to a data intermediary processing the personal data on behalf of and for the purposes of the transferring organisation pursuant to a contract evidenced or made in writing.